Shorewall and static routing?
kenneth at mail1.ttak.org
Sat Aug 11 23:39:47 MDT 2007
Sorry for the delay in my response.
Gabriel Gunderson wrote:
> On Fri, 2007-08-10 at 10:56 -0600, Kenneth Burgener wrote:
>> I have in my rules:
>> DNAT net lan:10.10.10.3 udp 1194 -
> This looks like a shorewallism. What does the 65.X.X.X stand for? Is
> that your public IP obfuscated? If so, I assume the whole thing is
> spelled out in your config?
Yes, that is my public Qwest IP address obfuscated.
>> Here is how I am adding a static route:
>> route add -net 10.10.20.0 netmask 255.255.255.0 gw 10.10.10.3 dev eth1
> This shouldn't need the "dev eth1" What do you get without it. Still, I
> doubt it makes any difference.
Yeah, adding the "dev eth1" does not appear to make any difference.
>> My policy has:
>> $FW net ACCEPT
>> $FW lan ACCEPT
>> lan $FW ACCEPT
>> lan net ACCEPT
>> I watch the message log, and it does not appear that shorewall is
>> dropping any connections
> Are you dropping packets anywhere? If so, are they *ALL* being
> logged? When I say *ALL* I mean *ALL*. Otherwise, it's like a
> black hole and troubleshooting is a nightmare.
They are not being logged anywhere I can tell. To me it seems that they
are just disappearing into a black hole.
>> so it appears that I am just doing the routing wrong.
> Keep it simple. Try pinging the VPN gw (10.10.20.1) from the 10.10.10.X
> subnet without using any OpenVPN stuff. First establish the route and
> then try for a VPN connection. Run tcpdump with the right filters on
> both the router and the VPN gw (don't tell me OpenVPN is running on
> Windows and doesn't have tcpdump!).
I ran tcpdump on the gateway, and as far as I can tell I can see the
traffic coming in, and being routed back out. I am just not sure where
it is being routed to.
> Let us know what you find out.
Thanks for your response.
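Added example (not code from this thread, from Shorewall, or from either poster): the two questions the exchange turns on, worked in Python on constructed data. `route_lookup` does the kernel's longest-prefix match over a made-up routing table that mirrors the thread's layout (LAN 10.10.10.0/24 on eth1, VPN subnet 10.10.20.0/24 via 10.10.10.3), showing that with the static route a packet for 10.10.20.1 is handed to 10.10.10.3, and without it the default route sends it upstream with nothing logged. `logged_hits` parses Shorewall's kernel log lines (default LOGFORMAT `Shorewall:<chain>:<disposition>:` followed by the netfilter key=value fields) and reports any DROP/REJECT whose DST falls in a given subnet. The log lines and the 203.0.113.x / 198.51.100.x addresses are constructed; 203.0.113.0/24 stands in for the obfuscated 65.X.X.X. On the real router the same two answers come from `ip route get 10.10.20.1` and `grep Shorewall: /var/log/messages`.

```python
import ipaddress
import re

# Constructed routing table in (prefix, gateway, device) form, modelled on
# the thread: LAN on eth1, VPN subnet reachable via the OpenVPN host
# 10.10.10.3, public side on eth0 (203.0.113.0/24 is a made-up stand-in
# for the poster's obfuscated 65.X.X.X).
ROUTES_WITH_STATIC = [
    ("10.10.20.0/24", "10.10.10.3", "eth1"),
    ("10.10.10.0/24", None, "eth1"),
    ("203.0.113.0/24", None, "eth0"),
    ("0.0.0.0/0", "203.0.113.1", "eth0"),
]
# Same table with the "route add -net 10.10.20.0/24 gw 10.10.10.3" missing.
ROUTES_WITHOUT_STATIC = [r for r in ROUTES_WITH_STATIC if r[0] != "10.10.20.0/24"]


def route_lookup(routes, dst):
    """Longest-prefix match, the selection rule the kernel applies.
    Returns (prefix, gateway, device) or None if no route matches."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, gw, dev in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, dev)
    if best is None:
        return None
    return (str(best[0]), best[1], best[2])


# Shorewall's default LOGFORMAT is "Shorewall:%s:%s:" (chain, disposition);
# the rest of the line is the usual netfilter key=value dump.
_LOG_RE = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<disp>[^:]+):(?P<rest>.*)$")


def parse_shorewall_line(line):
    """Return the interesting fields of one Shorewall log line, or None
    if the line was not written by a Shorewall LOG rule."""
    m = _LOG_RE.search(line)
    if not m:
        return None
    # Flags such as DF or SYN have no '=' and are deliberately ignored.
    fields = dict(re.findall(r"(\w+)=(\S*)", m.group("rest")))
    return {
        "chain": m.group("chain"),
        "disposition": m.group("disp"),
        "src": fields.get("SRC"),
        "dst": fields.get("DST"),
        "proto": fields.get("PROTO"),
        "dport": int(fields["DPT"]) if "DPT" in fields else None,
    }


def logged_hits(lines, dst_net, dport=None):
    """Every logged drop/reject whose DST is inside dst_net (and whose
    DPT equals dport, when one is given). An empty result for traffic
    you can see leaving in tcpdump is the 'black hole' case."""
    net = ipaddress.ip_network(dst_net)
    hits = []
    for line in lines:
        rec = parse_shorewall_line(line)
        if rec is None or rec["dst"] is None:
            continue
        if ipaddress.ip_address(rec["dst"]) not in net:
            continue
        if dport is not None and rec["dport"] != dport:
            continue
        hits.append(rec)
    return hits


# Constructed sample of /var/log/messages content (not the poster's log).
SAMPLE_LOG = [
    "Aug 11 23:10:02 gw kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= "
    "MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 "
    "DST=203.0.113.9 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP "
    "SPT=41234 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0",
    "Aug 11 23:10:05 gw kernel: Shorewall:all2all:DROP:IN=eth1 OUT=eth0 "
    "SRC=10.10.10.20 DST=10.10.20.1 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF "
    "PROTO=ICMP TYPE=8 CODE=0 ID=1234 SEQ=1",
    "Aug 11 23:10:09 gw kernel: eth1: link is up",
]


if __name__ == "__main__":
    for label, table in (("with", ROUTES_WITH_STATIC), ("without", ROUTES_WITHOUT_STATIC)):
        print(label, "static route, 10.10.20.1 ->", route_lookup(table, "10.10.20.1"))
    for hit in logged_hits(SAMPLE_LOG, "10.10.20.0/24"):
        print("logged:", hit["chain"], hit["disposition"], hit["src"], "->", hit["dst"])
```

If the route lookup already points at 10.10.10.3 and nothing is logged for the subnet, the remaining places to look are the next hop itself (forwarding enabled, its own route back to 10.10.10.0/24) and the LAN hosts' routes, which is exactly where the ping-then-tcpdump-on-both-ends sequence above narrows it down.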